Firewall bypass issues

 
 
Vladimir

 
      08-14-2009
Hi there,
We have a WSUS 3.1 SP1 server.
Clients connect to it for updates.
Now we implemented Smartfilter to filter websites.
Some computers and servers don't update anymore.
Upon investigation I found that they want to go to update.microsoft.com
which is blocked when the user is not authenticated.
Running clientdiag confirms this with the error 0x80072efd.

My questions are:
- Why does WSUS want to go there instead of our WSUS server?
- Is it possible to change this behavior or do we have to allow anonymous
access to the windowsupdates links (which we don't like)?

 
Lawrence Garvin [MVP]

 
      08-14-2009
"Vladimir" <> wrote in message
news:18413FA2-39D3-4FD4-B347-...
> Hi there,
> We have a WSUS 3.1 SP1 server.
> Clients connect to it for updates.
> Now we implemented Smartfilter to filter websites.
> Some computers and servers don't update anymore.
> Upon investigation I found that they want to go to update.microsoft.com
> which is blocked when the user is not authenticated.
> Running clientdiag confirms this with the error 0x80072efd.
>
> My questions are:
> - Why does WSUS want to go there instead of our WSUS server?


The client would only want to go there if you've not properly configured and
applied the policy to direct it to the WSUS Server.

Or, if you implemented the WSUS Server while the client was engaged in an
active download session using Automatic Updates and those download requests
have not been cleared from the client's BITS queue.


> - Is it possible to change this behavior


Figure out why the client isn't talking to the WSUS Server.


> or do we have to allow anonymous access to the windowsupdates links (which
> we don't like)?


At some point you're going to *NEED* to execute a connection to the Windows
Update or the Microsoft Update site. I can just about guarantee that, so
you'll have to deal with this somehow. If you're interested in blocking user
access to the WU/MU services, there are *BETTER* ways to achieve that than
using a web filtering tool.

For now, you already have the answer to your question in the output of the
Client Diagnostic Tool. Post it and I'll explain.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
 
Vladimir

 
      08-14-2009
Hi Lawrence,
Thanks for your reply!

Clientdiag gives no errors anymore since I logged into Smartfilter (am
authorised now).

But here's the windowsupdate.log. I left out the date and timestamp and
changed our domain name.
The error code is different from what I told you before, btw.
I think the problem is the Regulation server path.

#############
## START ## AU: Search for updates
#########
<<## SUBMITTED ## AU: Search for updates [CallId =
{3860F7BE-10DD-4780-9045-8D7D00F30CF4}]
*************
** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
*********
* Online = Yes; Ignore download priority = No
* Criteria = "IsHidden=0 and IsInstalled=0 and
DeploymentAction='Installation' and IsAssigned=1 or IsHidden=0 and
IsPresent=1 and DeploymentAction='Uninstallation' and IsAssigned=1 or
IsHidden=0 and IsInstalled=1 and DeploymentAction='Installation' and
IsAssigned=1 and RebootRequired=1 or IsHidden=0 and IsInstalled=0 and
DeploymentAction='Uninstallation' and IsAssigned=1 and RebootRequired=1"
* ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}
* Search Scope = {Machine}
Validating signature for
C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wuident.cab:
Microsoft signed: Yes
Validating signature for
C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wuident.cab:
Microsoft signed: Yes
WARNING: Send failed with hr = 80072f78.
WARNING: SendRequest failed with hr = 80072f78. Proxy List used: <(null)>
Bypass List used : <(null)> Auth Schemes used : <>
WARNING: WinHttp: SendRequestUsingProxy failed for
<http://updates.mycompany.com/selfupdate/WSUS3/x86/Other/wsus3setup.cab>.
error 0x80072f78
WARNING: WinHttp: DoFileDownload MakeRequest failed. error 0x80072f78
WARNING: Send failed with hr = 80072f78.
WARNING: SendRequest failed with hr = 80072f78. Proxy List used: <(null)>
Bypass List used : <(null)> Auth Schemes used : <>
WARNING: WinHttp: SendRequestUsingProxy failed for
<http://updates.mycompany.com/selfupdate/WSUS3/x86/Other/wsus3setup.cab>.
error 0x80072f78
WARNING: WinHttp: DoFileDownload MakeRequest failed. error 0x80072f78
WARNING: Send failed with hr = 80072f78.
WARNING: SendRequest failed with hr = 80072f78. Proxy List used: <(null)>
Bypass List used : <(null)> Auth Schemes used : <>
WARNING: WinHttp: SendRequestUsingProxy failed for
<http://updates.mycompany.com/selfupdate/WSUS3/x86/Other/wsus3setup.cab>.
error 0x80072f78
WARNING: WinHttp: DoFileDownload MakeRequest failed. error 0x80072f78
WARNING: Send failed with hr = 80072f78.
WARNING: SendRequest failed with hr = 80072f78. Proxy List used: <(null)>
Bypass List used : <(null)> Auth Schemes used : <>
WARNING: WinHttp: SendRequestUsingProxy failed for
<http://updates.mycompany.com/selfupdate/WSUS3/x86/Other/wsus3setup.cab>.
error 0x80072f78
WARNING: WinHttp: DoFileDownload MakeRequest failed. error 0x80072f78
WARNING: DownloadFileInternal failed for
http://updates.mycompany.com/selfupd...sus3setup.cab: error
0x80072f78
FATAL: IsUpdateRequired failed with error 0x80072f78
WARNING: SelfUpdate: Default Service: IsUpdateRequired failed: 0x80072f78
WARNING: SelfUpdate: Default Service: IsUpdateRequired failed, error =
0x80072F78
* WARNING: Skipping scan, self-update check returned 0x80072F78
* WARNING: Exit code = 0x80072F78
*********
** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
*************
WARNING: WU client failed Searching for update with error 0x80072f78
>>## RESUMED ## AU: Search for updates [CallId = {3860F7BE-10DD-4780-9045-8D7D00F30CF4}]

# WARNING: Search callback failed, result = 0x80072F78
# WARNING: Failed to find updates with error code 80072F78
#########
## END ## AU: Search for updates [CallId =
{3860F7BE-10DD-4780-9045-8D7D00F30CF4}]
#############
AU setting next detection timeout to 2009-08-14 07:52:52
Setting AU scheduled install time to 2009-08-15 02:00:00
REPORT EVENT: {59E8D093-595D-4C7D-A651-45BF73BFC037}
WARNING: Cached cookie has expired or new PID is available
Initializing simple targeting cookie, clientId =
08afe984-1453-4d15-b927-e9299aaf218f, target group = , DNS name =
sbs2003.litchfields.local
Server URL =
http://updates.mycompany.com/SimpleA...impleAuth.asmx
Uploading 1 events using cached cookie, reporting URL =
http://updates.mycompany.com/Reporti...ebService.asmx
Reporter successfully uploaded 1 events.
*********** DnldMgr: Regulation Refresh [Svc:
{7971F918-A847-4430-9279-4A52D1EFE18D}] ***********
Contacting regulation server for 4 updates.
Validating signature for
C:\WINDOWS\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\wuredir.cab:
Microsoft signed: Yes
Regulation server path:
http://update.microsoft.com/v6/Updat...egulation.asmx.
Per-Update: 74c5384c-88c4-4502-9ff1-ce3fc242abef at rate 2500
Per-Update: d5100858-9cd1-40ee-8041-fc9778767e3e at rate 2500
Per-Update: 3b26c788-fdb1-48b8-8632-5e37f60e29b3 at rate 2500
Per-Update: 3336d3c1-57cc-44f2-b0b0-08aa487a7e33 at rate 2500
* Regulation call complete. 0x00000000
*********** DnldMgr: New download job [UpdateId =
{3336D3C1-57CC-44F2-B0B0-08AA487A7E33}.100] ***********
Regulation: {7971F918-A847-4430-9279-4A52D1EFE18D} - Update
3336D3C1-57CC-44F2-B0B0-08AA487A7E33 is "PerUpdate" regulated and can NOT
download. Sequence 8392 vs AcceptRate 2500.
* Update is not allowed to download due to regulation.
*********** DnldMgr: New download job [UpdateId =
{3B26C788-FDB1-48B8-8632-5E37F60E29B3}.100] ***********
Regulation: {7971F918-A847-4430-9279-4A52D1EFE18D} - Update
3B26C788-FDB1-48B8-8632-5E37F60E29B3 is "PerUpdate" regulated and can NOT
download. Sequence 8392 vs AcceptRate 2500.
* Update is not allowed to download due to regulation.
*********** DnldMgr: New download job [UpdateId =
{74C5384C-88C4-4502-9FF1-CE3FC242ABEF}.100] ***********
Regulation: {7971F918-A847-4430-9279-4A52D1EFE18D} - Update
74C5384C-88C4-4502-9FF1-CE3FC242ABEF is "PerUpdate" regulated and can NOT
download. Sequence 8392 vs AcceptRate 2500.
* Update is not allowed to download due to regulation.
*********** DnldMgr: New download job [UpdateId =
{D5100858-9CD1-40EE-8041-FC9778767E3E}.100] ***********
Regulation: {7971F918-A847-4430-9279-4A52D1EFE18D} - Update
D5100858-9CD1-40EE-8041-FC9778767E3E is "PerUpdate" regulated and can NOT
download. Sequence 8392 vs AcceptRate 2500.
* Update is not allowed to download due to regulation.
Regulation: {7971F918-A847-4430-9279-4A52D1EFE18D} - Update
3336D3C1-57CC-44F2-B0B0-08AA487A7E33 is "PerUpdate" regulated and can NOT
download. Sequence 8392 vs AcceptRate 2500.
Regulation: {7971F918-A847-4430-9279-4A52D1EFE18D} - Update
3B26C788-FDB1-48B8-8632-5E37F60E29B3 is "PerUpdate" regulated and can NOT
download. Sequence 8392 vs AcceptRate 2500.
Regulation: {7971F918-A847-4430-9279-4A52D1EFE18D} - Update
74C5384C-88C4-4502-9FF1-CE3FC242ABEF is "PerUpdate" regulated and can NOT
download. Sequence 8392 vs AcceptRate 2500.
Regulation: {7971F918-A847-4430-9279-4A52D1EFE18D} - Update
D5100858-9CD1-40EE-8041-FC9778767E3E is "PerUpdate" regulated and can NOT
download. Sequence 8392 vs AcceptRate 2500.
#############

 
 
Lawrence Garvin [MVP]

 
      08-14-2009
"Vladimir" <> wrote in message
news:B463178D-7A60-4618-9DD5-...

> Clientdiag gives no errors anymore since I logged into Smartfilter (am
> authorised now).


Now you need to configure those credentials for the WinHTTP proxy to use.

Easiest way to do that on a WinXP system is to run the command 'proxycfg -u'
which will copy the authorization credentials from the IE setup to the
WinHTTP setup.


> I think the problem is the Regulation server path.


The presence of a "regulation server path" is almost always an indication of
a leftover download from an old AU session.

> WARNING: WinHttp: SendRequestUsingProxy failed for
> <http://updates.mycompany.com/selfupdate/WSUS3/x86/Other/wsus3setup.cab>.
> error 0x80072f78


0x80072F78 -2147012744 ERROR_HTTP_INVALID_SERVER_RESPONSE The server
response could not be parsed.

This error is quite often caused because an intervening device (like,
possibly, the web filter system in this case) doesn't know how to handle
the traffic.

Frankly, my suggestion would be that the content going from the WUAgent to
the WSUS Server should be completely BYPASSING the webfilter system!

> *********** DnldMgr: Regulation Refresh [Svc:
> {7971F918-A847-4430-9279-4A52D1EFE18D}] ***********
> Contacting regulation server for 4 updates.
> Validating signature for
> C:\WINDOWS\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\wuredir.cab:
> Microsoft signed: Yes
> Regulation server path:
> http://update.microsoft.com/v6/Updat...egulation.asmx.
> Per-Update: 74c5384c-88c4-4502-9ff1-ce3fc242abef at rate 2500
> Per-Update: d5100858-9cd1-40ee-8041-fc9778767e3e at rate 2500
> Per-Update: 3b26c788-fdb1-48b8-8632-5e37f60e29b3 at rate 2500
> Per-Update: 3336d3c1-57cc-44f2-b0b0-08aa487a7e33 at rate 2500


These are leftover update downloads that have been orphaned when you
switched this client over to the WSUS Server.

Find the BITSADMIN.EXE v2.0 utility, copy it to this machine, and run this
command:
BITSADMIN /RESET /ALLUSERS

to clear the BITS download queue.


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
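
The triage applied to the posted log in this thread, as an added example that is not part of the original posts: it decodes the `0x8007xxxx` codes into the signed value and Win32 error the reply quotes, separates failures against the WSUS host from traffic to other hosts, and flags a "Regulation server path" entry as the leftover-download indicator described above. The function names, the name given for 0x80072EFD, and the sample lines (entries from the posted log, unwrapped to one per line) are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Low 16 bits of a FACILITY_WIN32 HRESULT are the Win32/WinHTTP error code.
WIN32_NAMES = {
    0x2F78: "ERROR_HTTP_INVALID_SERVER_RESPONSE",  # 12152, named in the reply
    0x2EFD: "ERROR_INTERNET_CANNOT_CONNECT",       # 12029, not named on the page
}
HRESULT_RE = re.compile(r"\b(?:0x)?(8007[0-9A-Fa-f]{4})\b")
URL_RE = re.compile(r"https?://[^\s<>]+")

def decode_hresult(text):
    """Return (signed 32-bit value, Win32 code, symbolic name) for 0x8007xxxx."""
    value = int(text, 16)
    if value >> 16 != 0x8007:
        raise ValueError("not a FACILITY_WIN32 failure HRESULT: " + text)
    code = value & 0xFFFF
    return value - (1 << 32), code, WIN32_NAMES.get(code, "unknown")

def triage(lines, wsus_host):
    """Count failures per HRESULT and separate WSUS traffic from other hosts."""
    report = {"errors": {}, "wsus_failures": 0,
              "other_hosts": set(), "stale_regulation": False}
    for line in lines:
        for hexcode in HRESULT_RE.findall(line):
            key = "0x" + hexcode.upper()
            report["errors"][key] = report["errors"].get(key, 0) + 1
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host == wsus_host.lower():
                if "failed" in line:
                    report["wsus_failures"] += 1
            elif host:
                report["other_hosts"].add(host)
        # Per the reply: a regulation server path points to leftover AU downloads.
        if "Regulation server path" in line:
            report["stale_regulation"] = True
    return report

# Constructed sample: entries from the posted log, unwrapped to one per line.
SAMPLE = [
    "WARNING: SendRequest failed with hr = 80072f78. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>",
    "WARNING: WinHttp: SendRequestUsingProxy failed for <http://updates.mycompany.com/selfupdate/WSUS3/x86/Other/wsus3setup.cab>. error 0x80072f78",
    "FATAL: IsUpdateRequired failed with error 0x80072f78",
    "Regulation server path: http://update.microsoft.com/v6/Updat...egulation.asmx.",
    "* Regulation call complete. 0x00000000",
]

if __name__ == "__main__":
    print(decode_hresult("0x80072f78"))
    print(triage(SAMPLE, "updates.mycompany.com"))
```

A non-zero `wsus_failures` together with an empty proxy list in the log lines points at a device in the path to the WSUS server, while `stale_regulation` points at the BITS queue.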

 